Java – security role ref does not work properly

This is my web.xml content:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
     version="3.0" metadata-complete="true">
  <servlet>
    <security-role-ref>
      <role-name>MY_GROUP_NAME</role-name>
      <role-link>REGISTERED_USER</role-link>
    </security-role-ref>
  </servlet>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <resource-ref>
    <description>My datasource</description>
    <res-ref-name>jdbc/XXXXXXXX</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/protected/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>tomcat</role-name>
      <role-name>role1</role-name>
      <role-name>REGISTERED_USER</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/protected/login.jsp</form-login-page>
      <form-error-page>/protected/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
  <security-role>
    <role-name>REGISTERED_USER</role-name>
  </security-role>
</web-app>

When I log in as a valid user in the LDAP group MY_GROUP_NAME, request.getRemoteUser() and request.getUserPrincipal() work fine. Testing the user for the MY_GROUP_NAME role:

String role = request.getParameter("role"); 
request.isUserInRole(role);

works fine.

The problem is that testing the user for the REGISTERED_USER role does not work. Has anyone seen what I'm missing here?

Some additional information

I use Apache Tomcat v7.0.22

LDAP is OpenDJ 2.4.5

Windows 7 operating system

Solution

I didn't use OpenDJ, but according to https://wikis.forgerock.org/confluence/display/OPENDJ/Configure+Apache+Tomcat+with+OpenDJ+as+an+Identity+Store there is no "mapping" between Tomcat roles and LDAP rules, because the mapping is one-to-one and the names should be the same. The LDAP groups you want to use should be defined as Tomcat roles, and you should use their names in the security-role section of the web descriptor (web.xml).
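
A descriptor fragment illustrating the answer above, added here as an example and not taken from the original post. It assumes MY_GROUP_NAME is the LDAP group name the Tomcat realm reports as the user's role, and that application code calls request.isUserInRole("REGISTERED_USER"). Under the Servlet specification, the role-name in a security-role-ref is the name used in code and the role-link must name a declared security-role.

```xml
<!-- Added example: fragment of WEB-INF/web.xml; elements not shown stay unchanged -->
<servlet>
  <servlet-name>action</servlet-name>
  <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  <init-param>
    <param-name>config</param-name>
    <param-value>/WEB-INF/struts-config.xml</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
  <!-- The alias sits inside the servlet whose code calls isUserInRole().
       role-name = name used in code, role-link = a declared security-role. -->
  <security-role-ref>
    <role-name>REGISTERED_USER</role-name>
    <role-link>MY_GROUP_NAME</role-link>
  </security-role-ref>
</servlet>

<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
    <!-- No http-method elements: the constraint then covers every HTTP
         method, not only the ones that would have been listed. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- The LDAP group name itself, since groups and roles map one-to-one -->
    <role-name>MY_GROUP_NAME</role-name>
  </auth-constraint>
</security-constraint>

<!-- Every role named in an auth-constraint or role-link is declared here -->
<security-role>
  <role-name>MY_GROUP_NAME</role-name>
</security-role>
```

A security-role-ref applies only to the servlet that declares it, so isUserInRole() calls made from another servlet or a JSP need their own reference or the real role name.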
